Hopefully by now many of you will have read of the new and serious vulnerability in DNS servers that allows them to be spoofed easily while bypassing detection systems. We at Nominet are privy to the details of this vulnerability and can assure you that it is every bit as serious a threat as is being portrayed in the various advisories being released by CERTs around the world.
Whilst it is based around a known vulnerability in DNS (the 16 bit ID field) it enables spoofing of a caching resolver with a very small number of packets, far fewer than might trigger any normal detection system. It can also be triggered remotely by various techniques, so an attacker does not need query access to your resolver to exploit the vulnerability.
The full details of the vulnerability will be released at BlackHat on August 6th, which gives a four week window for the upgrade of _all_ caching resolvers. This is something that we strongly urge you to do and a process that we have already begun. To be clear, this only applies to caching resolvers, not authoritative servers.
The main CERT vulnerability note is here (with links in it for every product)
If you use BIND then details of the patched versions are here.
If you use Microsoft DNS server then details are here.
If you wish to use a caching resolver that is built from the ground up for security, and already implements the mitigation technique, then please consider Unbound. If you use djbdns then that too already implements the interim mitigation technique of source port randomisation.
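Once a resolver has been upgraded, the practical question is whether it really is randomising its outbound source ports rather than sending every query from a fixed port with only the 16 bit ID varying. The script below is an added example, not part of this post or of any of the products mentioned; it takes a sample of a resolver's outbound queries as (source port, transaction ID) pairs, which you would normally collect with a packet capture on the resolver, and reports the spread of ports and IDs observed. The two sample sets are constructed for the example: one imitates a resolver that always sends from port 53, the other a resolver that picks a random unprivileged port per query.

```python
import math
import random
from collections import Counter

# Constructed samples of outbound resolver queries as (source_port, txid) pairs.
# They are made up for this example, not captured from any real resolver.
# Old-style behaviour: every query leaves from port 53, only the ID changes.
FIXED_PORT_QUERIES = [(53, (0x1A2B + i) & 0xFFFF) for i in range(64)]

# Mitigated behaviour: a fresh unprivileged port and a fresh ID per query.
# A seeded generator keeps the example deterministic when run offline.
_rng = random.Random(1234)
RANDOM_PORT_QUERIES = [
    (_rng.randint(1024, 65535), _rng.randint(0, 0xFFFF)) for _ in range(64)
]


def shannon_entropy_bits(values):
    """Empirical Shannon entropy, in bits, of the observed values.

    With n samples the result cannot exceed log2(n), so a small capture
    can only show that ports are NOT fixed, not that all 16 bits are used.
    """
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_resolver(queries, min_port_entropy_bits=4.0):
    """Summarise how much variation a resolver shows in ports and IDs.

    queries: iterable of (source_port, txid) pairs from outbound DNS queries.
    Returns a dict; 'port_randomised' is False when the ports observed are
    fixed or drawn from a very narrow set, which is the pre-patch condition
    in which the 16 bit ID is the only thing a forged reply has to match.
    """
    queries = list(queries)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_bits = shannon_entropy_bits(ports)
    txid_bits = shannon_entropy_bits(txids)
    return {
        "samples": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        "port_randomised": port_bits >= min_port_entropy_bits,
    }


if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_QUERIES),
                          ("random port", RANDOM_PORT_QUERIES)):
        print(label, assess_resolver(sample))
```

The threshold of 4 bits is deliberately low: 64 samples cap the measurable entropy at 6 bits, so the check is a quick sanity test for "still using one port" rather than a proof of full randomisation. Capture a few thousand queries if you want to see the port entropy approach the 16 bits a properly randomising resolver should give.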
It should be clear to all those who work with DNS on a daily basis that the only true mechanism to prevent DNS spoofing techniques is DNSSEC and we all need to begin taking that seriously.
So please use this short window to upgrade your caching resolvers and iron out any issues that might arise before exploits of this vulnerability are seen in the wild.